Analysis Overview
SHA256
29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63
Threat Level: Known bad
The file 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63 was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
Suspicious use of SetThreadContext
AutoIT Executable
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-10 10:27
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 10:27
Reported
2024-05-10 10:29
Platform
win7-20240215-en
Max time kernel
149s
Max time network
133s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2244 set thread context of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2940 set thread context of 1140 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 2940 set thread context of 1140 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 2480 set thread context of 1140 | N/A | C:\Windows\SysWOW64\wininit.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wininit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wininit.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wininit.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe | "C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe" |
| C:\Windows\SysWOW64\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe" |
| C:\Windows\SysWOW64\wininit.exe | "C:\Windows\SysWOW64\wininit.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\SysWOW64\svchost.exe" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.wkb41961shv.com | udp |
| US | 8.8.8.8:53 | www.omf.fo | udp |
| US | 44.227.76.166:80 | www.omf.fo | tcp |
| US | 8.8.8.8:53 | www.521745.cc | udp |
| KR | 104.37.214.75:80 | www.521745.cc | tcp |
| US | 8.8.8.8:53 | www.isthistheyearofsrt.com | udp |
| US | 76.223.105.230:80 | www.isthistheyearofsrt.com | tcp |
| US | 8.8.8.8:53 | www.hizlitakibin.com | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 10:27
Reported
2024-05-10 10:29
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
144s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3884 set thread context of 4456 | N/A | C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 4456 set thread context of 3436 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 4856 set thread context of 3436 | N/A | C:\Windows\SysWOW64\wlanext.exe | C:\Windows\Explorer.EXE |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wlanext.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wlanext.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wlanext.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe | "C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe" |
| C:\Windows\SysWOW64\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3884 -ip 3884 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 704 |
| C:\Windows\SysWOW64\wlanext.exe | "C:\Windows\SysWOW64\wlanext.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\SysWOW64\svchost.exe" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.4ast6.us | udp |
| DE | 91.195.240.123:80 | www.4ast6.us | tcp |
| US | 8.8.8.8:53 | 123.240.195.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.herendkdocsmicroviewj.com | udp |
| US | 8.8.8.8:53 | www.521745.cc | udp |
| KR | 104.37.214.75:80 | www.521745.cc | tcp |
| US | 8.8.8.8:53 | 75.214.37.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.9072316z.vip | udp |
| US | 8.8.8.8:53 | www.kinghood.co | udp |
| CA | 23.227.38.74:80 | www.kinghood.co | tcp |
| US | 8.8.8.8:53 | 74.38.227.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.465172.com | udp |
| GB | 13.224.81.9:80 | www.465172.com | tcp |
| US | 8.8.8.8:53 | 9.81.224.13.in-addr.arpa | udp |
Files